The Hacker News — Cyber Security, Hacking, Technology News

A simple, yet effective flaw discovered on eBay's website exposed hundreds of millions of its customers to an advanced phishing attack.

An independent security researcher reported a critical vulnerability to eBay last month that could have allowed attackers to host a fake login page, i.e. a phishing page, on the eBay website itself, in order to steal passwords and harvest credentials from millions of its users.

The researcher, nicknamed MLT, said anyone could have exploited the vulnerability to target eBay users, taking over their accounts or harvesting thousands, or even millions, of eBay customers' credentials by sending phishing emails to them.

MLT published a blog post about the eBay flaw on Monday, demonstrating how easy it is to exploit a flaw like this and steal customers' passwords.

Here's How the eBay Hack Works

The flaw resided in a URL parameter that allowed the attacker to inject an iframe into the legitimate eBay website.

This is a common web bug, technically known as a Cross-Site Scripting (XSS) vulnerability, in which an attacker injects malicious markup or code into a legitimate website.

MLT embedded an iframe pointing to his own third-party phishing page within a regular eBay URL, which made it look as if the login page "was hosted on the legitimate eBay website".

The login page looked almost exactly like eBay's actual login page, except for the second part of the customised URL, which most users never notice.

In this case, the iframe containing the researcher's phishing page was injected into the page using the following payload:

After this was done, MLT typed a username and password into the injected login page and hit Sign In, which returned an error. Meanwhile, the phishing page had already captured the entered credentials in plaintext.
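To make the mechanism concrete, here is an added example (not eBay's code, and not from MLT's post) of a page that reflects a URL parameter into its HTML, shown in its vulnerable and hardened forms; the parameter name `return_url` and the page template are hypothetical. The hardened version encodes the value for an HTML text context, and a Content-Security-Policy `frame-src` directive adds a second layer by restricting which origins the page may frame at all.

```python
import html

# Hypothetical page template that reflects a URL parameter into its body.
PAGE = "<html><body><h1>Sign in</h1><p>Return to: {value}</p></body></html>"


def render_vulnerable(return_url):
    """Reflects the raw parameter. Markup in the value becomes markup in the page,
    so an injected <iframe> loads third-party content inside the trusted origin."""
    return PAGE.format(value=return_url)


def render_hardened(return_url):
    """Encodes the value for an HTML text context: '<' becomes '&lt;', quotes are
    escaped too, so the browser renders the value as text rather than a tag."""
    return PAGE.format(value=html.escape(return_url, quote=True))


def security_headers():
    """Defence in depth: if encoding is missed somewhere, CSP still limits which
    origins the page may frame, so an injected iframe to another host is blocked."""
    return {
        "Content-Security-Policy": "default-src 'self'; frame-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


def contains_live_iframe(markup):
    """Helper for comparing the two renderings: does the output contain a real iframe tag?"""
    return "<iframe" in markup.lower()
```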

Video Demonstration

MLT also provided a video proof-of-concept, demonstrating the flaw in real time. You can watch the video below:

MLT responsibly reported the flaw to eBay on December 11, but after an initial response the following day asking for more information, the company stopped responding to the researcher's emails and did not release a patch, despite being aware of the consequences of the flaw.

However, when the media contacted eBay asking about the vulnerability, the company rushed out a patch on Monday and acknowledged MLT's finding on the page of its site dedicated to thanking white hat hackers who responsibly report bugs.

Four months ago, a massive data breach of the eBay website affected 145 million registered users worldwide after its database was compromised. Around the same time, another critical vulnerability in the eBay website was reported, one that allowed an attacker to hijack millions of user accounts in bulk.

An Egyptian security researcher, ‘Yasser H. Ali’, informed The Hacker News about this vulnerability 4 months ago; it could have been used by cyber criminals in targeted attacks. At that time, Mr. Yasser privately demonstrated the vulnerability step by step to ‘The Hacker News’ team, and we confirmed: IT WORKS.

Since the eBay security team had not addressed it, we withheld the technical details of this vulnerability from our readers. But we promised to share the details of this interesting flaw once eBay had patched it. So, here we go!

The vulnerability Yasser found allowed an attacker to reset the password of any eBay user account, without any interaction from the victim or any other dependency. The only thing required was the login email ID or username of the targeted account.

BUT HOW TO HACK ANY eBAY ACCOUNT?

To recover a forgotten password, the user is first redirected to a password reset page, where eBay generates a random code value as the HTML form parameter “reqinput”. Because this value sits in the page source, it is visible to an attacker as well, using the browser's inspect element tool.

After the user provides an email ID and presses the submit button, eBay generates a second random code, known to nobody but the user, and sends that code along with a password reset link to the user's registered email address.

Once the user clicks the password reset link in the email, they are redirected to an eBay page with a new-password option, where they only need to enter a new password twice and submit it in order to reset the account password.

HERE THE VULNERABILITY RESIDES

Yasser noticed that instead of using the secret code from the email, the new-password HTTP request sends the same “reqinput” value that was generated in the first request, when the user clicked on reset password, and which is therefore known to the attacker, as shown:

As a proof of concept, the researcher targeted a temporary account belonging to one of our team members, with the email address info@thehackernews.com. First he made a password reset request on eBay for the targeted email ID and saved the generated ‘reqinput’ value from the inspect element view.

Then he crafted a new HTTP request directly to the password reset form action on the eBay server, carrying the known “reqinput” value together with the new password, confirm password and password strength parameters.

BANG!! He was able to reset our eBay account password within moments, without any interaction from our team member.
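The root cause described above is a reset endpoint that trusts a value the attacker can read instead of the secret that only reached the mailbox. The following is an added example, not eBay's code, of a minimal reset service modelled on the three-step flow in this article, with the flawed check beside a hardened one; `PasswordResetService`, `begin_reset`, `complete_reset_vulnerable` and `complete_reset` are hypothetical names, and passwords are stored as plain strings only to keep the demo short.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60  # emailed reset secrets should be short-lived

@dataclass
class ResetState:
    email: str
    reqinput: str      # stage-1 value: sits in the page source, visible to anyone
    email_token: str   # stage-2 secret: delivered only to the account's mailbox
    expires_at: float
    used: bool = False

class PasswordResetService:
    """Hypothetical reset service modelled on the flow described above (not eBay's code)."""

    def __init__(self, accounts):
        self.accounts = accounts  # email -> password; plain strings for the demo only
        self.pending = {}         # reqinput -> ResetState

    def begin_reset(self, email):
        """Stages 1 and 2: the form carries a public 'reqinput'; a separate secret is
        generated for the email. Only the public value is returned, as a page observer sees it."""
        if email not in self.accounts:
            return None
        state = ResetState(email, secrets.token_urlsafe(16), secrets.token_urlsafe(32),
                           time.time() + TOKEN_TTL_SECONDS)
        self.pending[state.reqinput] = state
        return state.reqinput

    def complete_reset_vulnerable(self, reqinput, new_password):
        """The flawed check: treats the page-visible 'reqinput' as proof of mailbox access."""
        state = self.pending.get(reqinput)
        if state is None:
            return False
        self.accounts[state.email] = new_password
        return True

    def complete_reset(self, reqinput, email_token, new_password):
        """Hardened: demand the emailed secret, compare in constant time, enforce expiry,
        and mark the token used so a captured link cannot be replayed."""
        state = self.pending.get(reqinput)
        if state is None or state.used or time.time() > state.expires_at:
            return False
        if not hmac.compare_digest(state.email_token.encode(), email_token.encode()):
            return False
        state.used = True
        self.accounts[state.email] = new_password
        return True
```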

LARGE SCALE AUTOMATED ATTACK

A sophisticated attacker could have launched an automated mass password-reset attack against all the email addresses leaked in the previously reported massive eBay data breach.

The company has already patched the vulnerability after Yasser responsibly disclosed the flaw to the eBay security team. But this 4-month delay in delivering the patch could have allowed millions of eBay users' accounts to be compromised in a targeted attack, even if they had changed their password after the data breach.